List UAC attribute issue

  • Question

  • Hi,

    Using the following script at any given OU level, I want to list all accounts whose UserAccountControl attribute value equals 544.

    It means:

    544 = PASSWD_NOTREQD | NORMAL_ACCOUNT

    Unfortunately, the script also lists other accounts which have other UAC attribute values.

    Here is the script:

    # Requires the ActiveDirectory module (RSAT).
    Import-Module ActiveDirectory
    $OUs = 'OU=marketing,DC=my,DC=domain,DC=com'
    $results = $OUs | ForEach-Object {
        # Matching rule 1.2.840.113556.1.4.803 performs a bitwise AND of userAccountControl against 544.
        $attrUAC = Get-ADUser -Properties Name,distinguishedname,useraccountcontrol,objectClass -SearchBase $_ -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=544)(!(IsCriticalSystemObject=TRUE)))" | Sort-Object -Property Name
        foreach ($user in $attrUAC) {
            $user | Select-Object Name,useraccountcontrol,distinguishedname
        }
    }
    $results | Out-File -FilePath D:\LOGS\List_UAC_Attr_544.txt -Append

    Here are the results:

    Name  useraccountcontrol distinguishedname
    ----  ------------------ -----------------
    User1              66080 CN=User1,OU=marketing,DC=my,DC=domain,DC=com
    User2                544 CN=User2,OU=marketing,DC=my,DC=domain,DC=com
    User3                544 CN=User3,OU=marketing,DC=my,DC=domain,DC=com
    User4                546 CN=User4,OU=marketing,DC=my,DC=domain,DC=com
    User5                546 CN=User5,OU=marketing,DC=my,DC=domain,DC=com

    If I run the same script for Integer 546 (instead of 544), or for 66080, they are correctly listed.

    Any idea?

    Best regards

    Birdal




    • Edited by _Birdal Wednesday, July 17, 2019 10:24 AM
    Wednesday, July 17, 2019 9:22 AM

All replies

  • The syntax you are using is for testing against a bit mask. For example, the bit mask for PASSWD_NOTREQD is 32 (in decimal). Since you want an exact value, use the filter clause:

    (userAccountControl=544)

    If you want all users that do not require a password, you could use the clause:

    (userAccountControl:1.2.840.113556.1.4.803:=32)

    The Get-ADUser cmdlet already restricts the results to users. Using the bit mask will retrieve all users that don't require a password, even if they have other settings, such as disabled or smartcard required. Using the exact value 544 will only retrieve users that are not required to have passwords, and have no other settings specified in userAccountControl. Note 512 (normal user) + 32 is 544.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)




    Wednesday, July 17, 2019 3:40 PM
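The following is an added example, not code from the thread or from either poster. It reproduces offline why the bitwise-AND matching rule returns 66080 and 546 as well as 544 (each of those values contains both the NORMAL_ACCOUNT and PASSWD_NOTREQD bits), and wraps the exact-value filter Richard describes in a function for the live query. The `Get-ExactUacUsers` function and its `$SearchBase` parameter are assumptions; the flag constants are the documented userAccountControl bit values.

```powershell
# Added example, not from the thread: shows why a bitwise-AND filter for 544 also
# returns 66080 and 546, and gives the exact-value query described in the reply.
# Only Get-ExactUacUsers needs the ActiveDirectory module; everything else runs offline.

# Subset of the documented userAccountControl flag bits.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
}

# Decode a raw userAccountControl integer into the names of the flags that are set.
function ConvertFrom-Uac {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($entry in $UacFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
}

# Emulates LDAP matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND):
# an object matches when every bit set in $Mask is also set in $Value.
function Test-UacBitAnd {
    param([Parameter(Mandatory)][int]$Value, [Parameter(Mandatory)][int]$Mask)
    ($Value -band $Mask) -eq $Mask
}

# Constructed sample values, copied from the result table in the question.
$samples = 66080, 544, 546
foreach ($v in $samples) {
    [pscustomobject]@{
        Value     = $v
        Flags     = (ConvertFrom-Uac -Value $v) -join ' | '
        BitAnd544 = Test-UacBitAnd -Value $v -Mask 544   # what the original filter evaluates
        Exact544  = ($v -eq 544)                          # what (userAccountControl=544) evaluates
    }
}

# Live query with the exact-value filter. $SearchBase is an assumption: pass the OU being audited.
function Get-ExactUacUsers {
    param([Parameter(Mandatory)][string]$SearchBase, [int]$Value = 544)
    Get-ADUser -SearchBase $SearchBase -Properties userAccountControl `
        -LDAPFilter "(&(userAccountControl=$Value)(!(IsCriticalSystemObject=TRUE)))" |
        Sort-Object Name |
        Select-Object Name, userAccountControl, DistinguishedName
}
# Usage against the OU from the question:
# Get-ExactUacUsers -SearchBase 'OU=marketing,DC=my,DC=domain,DC=com'
```

Running the offline part shows `BitAnd544` as True for all three sample values and `Exact544` as True only for 544, which is exactly the difference between the two filter forms. For an audit, the bitwise filter with mask 32 is the more useful one, since an account with PASSWD_NOTREQD set is a risk regardless of what other flags accompany it.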
  • Hi Richard,

    Perfect! Thank you.

    Can I change only the UAC property flag "PASSWD_NOTREQD" using PowerShell for all users? But the other UAC property flags MUST BE KEPT in the changed user objects.

    With which command can I make this change?

    Best regards

    Birdal



    • Edited by _Birdal Thursday, July 18, 2019 7:59 AM
    Thursday, July 18, 2019 6:36 AM
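The thread ends here without an answer to the follow-up. As an added example (not from either poster), the script below clears only the PASSWD_NOTREQD bit (0x20) and leaves every other userAccountControl flag untouched, by reading the current integer, masking out that one bit, and writing the derived value back. It assumes the ActiveDirectory module; `Clear-PasswordNotRequired`, `Remove-UacFlag`, the `-Apply` switch and the `$SearchBase` parameter are names chosen for this example. Without `-Apply` it only reports what would change.

```powershell
# Added example, not from the thread: clear PASSWD_NOTREQD (0x20) on every user in an OU
# while preserving all other userAccountControl bits. Requires the ActiveDirectory module
# for Clear-PasswordNotRequired; Remove-UacFlag runs offline.
$PASSWD_NOTREQD = 0x20

# Pure helper: returns $Value with the single bit $Flag cleared and nothing else changed.
function Remove-UacFlag {
    param([Parameter(Mandatory)][int]$Value, [Parameter(Mandatory)][int]$Flag)
    $Value -band (-bnot $Flag)
}

# Constructed samples from the result table in the question: other flags survive, only bit 0x20 drops.
foreach ($v in 66080, 544, 546) {
    [pscustomobject]@{ Before = $v; After = Remove-UacFlag -Value $v -Flag $PASSWD_NOTREQD }
}

# Finds users with PASSWD_NOTREQD set (bitwise-AND filter, so disabled accounts, non-expiring
# passwords etc. are included) and clears just that bit. $SearchBase is an assumption.
function Clear-PasswordNotRequired {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [switch]$Apply   # without -Apply the function only reports the intended change
    )
    $filter = "(&(userAccountControl:1.2.840.113556.1.4.803:=$PASSWD_NOTREQD)(!(IsCriticalSystemObject=TRUE)))"
    $users = Get-ADUser -SearchBase $SearchBase -Properties userAccountControl -LDAPFilter $filter
    foreach ($u in $users) {
        $old = [int]$u.userAccountControl
        $new = Remove-UacFlag -Value $old -Flag $PASSWD_NOTREQD
        if ($Apply) {
            # $new was derived from the live value, so replacing the whole integer changes one bit only.
            Set-ADUser -Identity $u -Replace @{ userAccountControl = $new }
        }
        [pscustomobject]@{ Name = $u.Name; Before = $old; After = $new; Applied = [bool]$Apply }
    }
}
# Usage: review first, then apply.
# Clear-PasswordNotRequired -SearchBase 'OU=marketing,DC=my,DC=domain,DC=com'
# Clear-PasswordNotRequired -SearchBase 'OU=marketing,DC=my,DC=domain,DC=com' -Apply
```

The same bit can also be cleared per account with `Set-ADAccountControl -Identity $u -PasswordNotRequired $false`, which the module handles internally the same way; the explicit `-band (-bnot $Flag)` form is shown here because it makes visible that the other flags are preserved, and the report-only default gives a before/after record to keep with the change.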